1 (Original): A method for protecting the configuration of a securable object in an operating 
system from members of a locally privileged group, wherein a security descriptor for the 
securable object includes a discretionary access control list (DACL), the method comprising: 

making a copy of the security descriptor; 

adding a new access control entry (ACE) to the DACL in said copy, wherein said new 
ACE specifies denying the locally privileged group an access right to the 
securable object; and 

overwriting the security descriptor in the operating system with said copy. 

2 (Currently amended): The method of claim 1, further comprising: 

determining a relative identifier (RID) of the securable object; and 
finding the security descriptor for the securable object based on said RID. 

3 (Original): The method of claim 1, further comprising examining the DACL to discover 
whether said access right is already denied. 

4 (Currently amended): The method of claim 1, wherein said new ACE is added as a first 
ACE in the DACL. 

5 (Currently amended): The method of claim 1, wherein the securable object is a group other 
than a local administrators group. 

6 (Original): The method of claim 5, wherein said group is a domain administrator group. 

7 (Original): The method of claim 6, wherein said domain administrator group is a remotely 
hosted group, and the method further comprising adding said new ACEs to the DACL in said 
copy to deny all local groups said access right to the securable object. 

8 (Original): The method of claim 5, wherein said access right includes a right to change 
permissions of said group. 

9 (Original): The method of claim 7, wherein said access right also includes a right to view 
permissions of said group. 

10 (Original): The method of claim 1, wherein a single software tool performs the method. 

11 (Original): A computer program, embodied on a computer readable storage medium, for 
protecting the configuration of a securable object in an operating system from members of a 
locally privileged group, wherein a security descriptor for the securable object includes a 
discretionary access control list (DACL), the computer program comprising: 

a code segment that makes a copy of the security descriptor; 

a code segment that adds a new access control entry (ACE) to the DACL in said copy, 
wherein said new ACE specifies denying the locally privileged group an access 
right to the securable object; and 

a code segment that overwrites the security descriptor in the operating system with said 
copy. 

12 (Currently amended): The computer program of claim 11, further comprising: 

a code segment that determines a relative identifier (RID) of the securable object; and 
a code segment that finds the security descriptor for the securable object based on said 
RID. 

13 (Original): The computer program of claim 11, further comprising a code segment that 
examines the DACL to discover whether said access right is already denied. 

14 (Currently amended): The computer program of claim 11, further comprising a code segment 
that provides that said new ACE is added as a first ACE in the DACL. 

15 (Currently amended): The computer program of claim 11, wherein the securable object is a 
group other than a local administrators group. 

16 (Original): The computer program of claim 15, wherein said group is a domain administrator 
group. 

17 (Original): The computer program of claim 16, wherein said domain administrator group is a 
remotely hosted group, and said code segment that adds further adds said new ACEs to the 
DACL in said copy to deny all local groups said access right to the securable object. 

18 (Original): The computer program of claim 15, wherein said access right includes a right to 
change permissions of said group. 

19 (Original): The computer program of claim 18, wherein said access right also includes a right 
to view permissions of said group. 

20 (Original): The computer program of claim 11, wherein all said code segments are part of a 
single software tool. 

21 (Original): A system for protecting the configuration of a securable object in an operating 
system of a computer from members of a locally privileged group, wherein a security descriptor 
for the securable object includes a discretionary access control list (DACL), the system 
comprising: 

means for making a copy of the security descriptor; 

means for adding a new access control entry (ACE) to the DACL in said copy, wherein 
said new ACE specifies denying the locally privileged group an access right to the 
securable object; and 

means for overwriting the security descriptor in the operating system of the computer 
with said copy. 

22 (Currently amended): The system of claim 21, further comprising: 

means for determining a relative identifier (RID) of the securable object; and 
means for finding the security descriptor for the securable object based on said RID. 

23 (Original): The system of claim 21, further comprising means for examining the DACL to 
discover whether said access right is already denied. 

24 (Currently amended): The system of claim 21, further comprising means for providing that 
said new ACE is added as a first ACE in the DACL. 

25 (Currently amended): The system of claim 21, wherein the securable object is a group other 
than a local administrators group. 

26 (Original): The system of claim 25, wherein said group is a domain administrator group. 

27 (Original): The system of claim 26, wherein said domain administrator group is a remotely 
hosted group, and said means that adds further adds said new ACEs to the DACL in said copy to 
deny all local groups said access right to the securable object. 

28 (Original): The system of claim 25, wherein said access right includes a right to change 
permissions of said group. 

29 (Original): The system of claim 28, wherein said access right also includes a right to view 
permissions of said group. 

30 (Original): The system of claim 21, wherein said means are comprised within a single 
software tool. 
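
The steps of claims 1, 3 and 4, carried through on a simplified in-memory model of ordered DACL evaluation, showing why the position of the deny ACE matters. This is an added example, not part of the claim listing or of any tool it describes; the `Ace`, `SecurityDescriptor`, `access_check`, `already_denied` and `protect` names are hypothetical, and the model ignores owner and privilege handling.

```python
import copy
from dataclasses import dataclass, field

WRITE_DAC = 0x00040000     # standard right: change permissions (claim 8)
READ_CONTROL = 0x00020000  # standard right: view permissions (claim 9)
ADMINS = "S-1-5-32-544"    # well-known SID of the local Administrators group

@dataclass
class Ace:                 # hypothetical model type, not a Windows API
    kind: str              # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class SecurityDescriptor:  # hypothetical model type
    dacl: list = field(default_factory=list)

def access_check(sd, token_sids, desired):
    """Evaluate ACEs in order; the first ACE that decides a requested bit wins."""
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False           # bits never granted are implicitly denied

def already_denied(sd, sid, mask):
    """Claim 3: is the first ACE touching this right for the SID a covering deny?"""
    for ace in sd.dacl:
        if ace.sid == sid and ace.mask & mask:
            return ace.kind == "deny" and (ace.mask & mask) == mask
    return False

def protect(live_sd, sid=ADMINS, mask=WRITE_DAC):
    """Claims 1, 3, 4: copy the descriptor, prepend the deny ACE if needed."""
    sd = copy.deepcopy(live_sd)
    if not already_denied(sd, sid, mask):
        sd.dacl.insert(0, Ace("deny", sid, mask))
    return sd              # caller overwrites the live descriptor with this copy

def demo():
    # Constructed sample: Administrators hold both rights on the object.
    live = SecurityDescriptor([Ace("allow", ADMINS, WRITE_DAC | READ_CONTROL)])
    appended = copy.deepcopy(live)
    appended.dacl.append(Ace("deny", ADMINS, WRITE_DAC))  # deny placed last
    hardened = protect(live)
    return (access_check(appended, {ADMINS}, WRITE_DAC),     # allow decided first
            access_check(hardened, {ADMINS}, WRITE_DAC),     # deny decided first
            access_check(hardened, {ADMINS}, READ_CONTROL),  # untouched right
            len(protect(hardened).dacl))                     # second run adds nothing
```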